Secunia Blog

Microsoft Windows Insecure Library Loading

For the past week, there has been quite a stir about a new class of vulnerabilities or rather a new, remote vector for exploiting an old class of vulnerabilities: Insecure library loading.

This vulnerability class has been known for many years, but hasn't been taken that seriously in the past as it was believed to require an attacker to plant a malicious file in a directory within the search path on a user's system. However, the discovery of the remote vector just made this serious.

Yesterday, Microsoft issued a security advisory to warn about the remote attack vector along with blogs containing additional information from the MSRC and SRD teams.

The vulnerability is not in the Windows OS itself, but is caused by bad (insecure) programming practises in applications when loading libraries combined with how the library search order works in Windows. Ideally, when loading a library (or running an executable), a fully qualified path should be passed to the APIs used (e.g. LoadLibrary()). In case a programmer refrains from doing so and only supplies the library name, Windows searches for the file in a number of directories in a particular order.

These directories may include the current working directory, which leads to the core of the problem related to the new, remote attack vector as Windows eventually searches for the file on e.g. a remote SMB or WebDAV share if that happens to be the current directory. This is the case if a user e.g. is tricked into opening a file located on a remote share. By placing a malicious library, which a vulnerable application searches for, on the share it is loaded into the application and code is executed with the privileges of the user running it.

As the core problem is not in Windows, but rather caused by applications loading libraries insecurely (i.e. not supplying a fully qualified path or not initially calling SetDllDirectory() with a blank path), Secunia will not be issuing a general advisory for Windows. Instead, (likely, quite a lot of) advisories will be issued as affected applications are identified.

Currently, we are seeing reports from various researchers having identified everywhere between 40 to 200 vulnerable applications, but the actual number may be a lot higher as many programmers do not follow Microsoft's recommendation for secure library loading (this includes Microsoft's own programmers as, according to HD Moore, at least four affected Microsoft applications have been identified).

ACROS Security has already reported this vulnerability for Apple iTunes and it was fixed in version 9.1. HD Moore has also identified a large number of affected applications, but has not disclosed the list; instead, he has made an audit kit available to determine affected applications.

To protect against attacks, Microsoft has released a tool that helps system administrators and users to configure the search path order either on a per application basis or system-wide.

Companies can also mitigate remote exploitation by ensuring that SMB traffic is disabled on perimeter firewalls (TCP ports 139 and 445) and disable the WebClient service on all systems.

As this vulnerability is related to a general design problem, Windows security mechanisms like ASLR etc. provide no protection. It's simply a matter of opening a file located on e.g. a remote share using a vulnerable application and you're owned.

Stay Secure,

Carsten Eiram Chief Security Specialist

Discuss this blog entry

A new thread in our forum is created. Activate the thread by commenting/discussing below.

As someone with just enough IT knowledge to be dangerous , I find this level of "unknown" insecurity to be very disconcerting :ie: 200 or more - so far - unnamed programmes likely to be exploitable .

With my (less than) average technical skill levels , I would not be overconfident of applying the M$ "tool" workaround(s) to my single PC with XP SP3 . Rightly or wrongly , it appears to me that I am less at risk because I am not connected to a network ; perhaps someone can qualify this ??

Firefox has just been implicated and is seemingly the first programme to affect me directly :-

So for now I shall be putting my faith in Secunia to keep me advised of when/if any other of my programmes display the vulnerability . It's easily the best defence I can find to suit my level of competence .

Quite what people without (access) to Secunia are going to do , I have no idea , but I doubt blind faith is the answer for today .

If you are on the internet, you are on a network; albeit, a large one (a WAN). You are probably thinking of a local network such as a home network (LAN). They are both networks though, and you are vulnerable if you connect to the internet.

The knowledge base article has also been updated to include an automatic Fixit which blocks attacks from remote locations.http://support.microsoft.com/kb/2264107
The workaround tool must be installed before running the Fixit.

The knowledge base article has also been updated to include an automatic Fixit which blocks attacks from remote locations.http://support.microsoft.com/kb/2264107
The workaround tool must be installed before running the Fixit.

Fix includes results for multiple versions of windows and uses Microsoft Fix It, and a hotfix for each respective OS.